Splunk Search

Pulling 1-day old records

Contributor

Hi,

Let's say I have a field lastTime (sample value lastTime = 09/01/2019 11:52:31). There are records with lastTime reported > 1 day (24 hours) old that I'd like to set an alert on. Is there a way I can pull these records?

Thanks,

1 Solution

Contributor

Hi richgalloway - thanks again for giving help. I found an answer to another question and I think it's helpful:
... | eval ddateepoch = strptime(ddate, "%Y-%m-%d %H:%M:%S") | eval diff_seconds = now() - ddateepoch | eval diff_days = diff_seconds / 86400

In my case, if diff_days > 1, trigger an alert.

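The age check the accepted answer describes, as an added Python example (not Splunk SPL and not from the thread) using the lastTime format from the question. It also separates the two cases the thread debates, lastTime in the past versus in the future, and surfaces values strptime cannot parse, which Splunk would silently leave null. The sample records and the fixed "now" are constructed.

```python
from datetime import datetime, timezone

# strptime format for values like "09/01/2019 11:52:31" (format from the question)
LASTTIME_FORMAT = "%m/%d/%Y %H:%M:%S"
ONE_DAY_SECONDS = 86400  # the same divisor the accepted answer uses

def parse_lasttime(value, tz=timezone.utc):
    """Epoch seconds for a lastTime string, or None when it does not parse.
    Splunk's strptime returns a null field in that case and a later `where`
    drops the event without comment; here the failure is returned instead."""
    try:
        return datetime.strptime(value, LASTTIME_FORMAT).replace(tzinfo=tz).timestamp()
    except ValueError:
        return None

def classify_records(records, now_epoch, max_age_seconds=ONE_DAY_SECONDS):
    """Mirror `eval diff_seconds = now() - lastTime_epoch | where diff_seconds > 86400`.
    Returns three buckets: stale (older than max_age_seconds), future (lastTime
    ahead of now, i.e. clock skew or a timezone mismatch), unparseable."""
    result = {"stale": [], "future": [], "unparseable": []}
    for rec in records:
        epoch = parse_lasttime(rec.get("lastTime", ""))
        if epoch is None:
            result["unparseable"].append(rec)
            continue
        diff_seconds = now_epoch - epoch
        if diff_seconds < 0:
            result["future"].append(rec)
        elif diff_seconds > max_age_seconds:
            result["stale"].append(rec)
    return result

# Constructed sample records and a fixed "now" so the run is reproducible.
SAMPLE_NOW = datetime(2019, 9, 2, 12, 0, 0, tzinfo=timezone.utc).timestamp()
SAMPLE_RECORDS = [
    {"host": "web01", "lastTime": "09/01/2019 11:52:31"},  # 24h 7m 29s old -> stale
    {"host": "web02", "lastTime": "09/02/2019 11:30:00"},  # 30 min old -> fine
    {"host": "web03", "lastTime": "09/03/2019 01:00:00"},  # ahead of now -> future
    {"host": "web04", "lastTime": "2019-09-01 11:52:31"},  # wrong format -> unparseable
]

if __name__ == "__main__":
    for bucket, recs in classify_records(SAMPLE_RECORDS, SAMPLE_NOW).items():
        print(bucket, [r["host"] for r in recs])
```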

SplunkTrust

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.

Contributor

thank you.


Contributor

Thanks for helping. lastTime is a variable with value like 08/26/2019 11:20:01, but yes it can be the same as _time.
I mean 24 hr into the future. Let's say: latencyTime = (now - lastTime); if latencyTime > 24 hours, then fire the alert.


SplunkTrust

So to clarify further, lastTime can be the same as _time, but not always?
You say 24 hours to the future, but your example SPL computes 24 hours in the past. Which is correct?

---
If this reply helps you, an upvote would be appreciated.

Path Finder

Are you trying to identify latency between the events getting generated and the time that they are indexed?


SplunkTrust

Is lastTime the same as _time? Are you looking for lastTime values more than 24 hours in the past or in the future?

---
If this reply helps you, an upvote would be appreciated.